Identity Server >


An API driven, cloud-native open source IAM solution for Customer IAM. It provides a highly extensible developer-friendly platform to federate, authenticate & manage identities across both enterprise and cloud environments.

WSO2 Identity Server Architecture

Enterprise/Cloud Single Sign-On and Federation

  • Single Sign-On (SSO) via SAML2, OpenID Connect, and WS-Federation Passive
  • SAML 2.0 based Single Logout (SLO), metadata profile, and assertion query/request profile
  • OpenID Connect session management, discover and dynamic client registration
  • Federated SSO via SAML2, OpenID Connect, and WS-Federation Passive with external identity providers
  • Enterprise SSO with applications such as Microsoft Office 365, Microsoft Sharepoint, Microsoft Dynamics, and Microsoft Exchange
    • Provisioning, SLO, and cloud synchronization capabilities with Microsoft Office 365
    • Federating multiple Azure AD/Office365 domains to a single tenant
  • SSO between on-premise applications and cloud applications that support heterogeneous SSO protocols (identity bridging)
  • Simple service provider (SP) and identity provider (IDP) ecosystem management because SPs and IDPs are decoupled from each other (identity hub)
  • Ability to consume identities and attributes from third party IDPs by translating between different claim dialects
  • White label login and registration pages
  • Rule-based authorization support for SSO
  • Google ReCaptcha support for SSO
  • Cross protocol single logout

Strong Authentication

  • Context based authentication via user attributes, user behavior, user risk profile, request parameters and machine learning algorithms
    • Adaptive authentication enhancements by developing plugins for VS Code and Atom and git integration
  • Support for industry-leading MFA with FIDO 2.0 including passwordless authentication
  • Support for multi-option/multi-step authentication
  • Integrated Windows authentication (IWA) with Kerberos
  • X.509 authentication
  • 2-factor authentication based on Fast IDentity Online (FIDO)
  • Time-based One-time Password (TOTP) based authentication

Account management and Identity provisioning

User/Group management

  • Manage users and groups
  • Claim management that supports decoupling of application dialect from underlying user store implementation
  • Flexible profile management for users supporting multiple profiles per use
  • Ability to link multiple user accounts that may belong to a single user
  • Support for heterogeneous user stores, either through built-in lightweight directory access protocol (LDAP) - powered by ApacheDS, an external LDAP, Microsoft Active Directory, or any JDBC database
  • Ability to support multiple user stores
  • Self-service user portal for business end-users to manage their credentials, profile, and authorized applications
  • Configurable password policies
  • Account locking for invalid failed login attempts
  • Account recovery with email and secret questions
  • Password history validation
  • Password pattern configuration
  • Account locking in single and multi-tenant environments
  • Account suspension reminders and locking idle accounts
  • Google ReCaptcha support for password recovery flow and self sign up
  • HTML support for email templates
  • Email template internalization and dynamic properties for email templates
  • User management REST APIs for end-users to manage their activities


  • Provision users and groups to WSO2 Identity Server using System for Cross-domain Identity Management (SCIM) 1.1 and 2.0 or WSO2's proprietary SOAP APIs
  • Provision users to external identity providers using SCIM 1.1
  • Create identities on the fly with just-in-time (JIT) provisioning
  • Rule-based identity provisioning


  • Multi-option/Multi-step approval template based workflows for user and role management operations

Access Control

Fine-grained authorization

  • Manage user entitlements
  • Role-based access control (RBAC)
  • Fine-grained policy-based access control based on eXtensible Access Control Markup Language (XACML) 2.0/3.0
  • Explore policy impact prior to publishing the policies to runtime using the try-it tool
  • High-performance network protocol (over Apache Thrift) for Policy Enforcement Point/Policy Decision Point (PEP/PDP) interaction
  • User-friendly Policy Administration Point (PAP) to edit XACML 2.0/3.0 policies
  • Manage multiple PDPs from a single PAP
  • Notifications on policy updates
  • Multiple Policy Information Points (PIP) to retrieve additional attributes required for policy evaluation
  • Integrates with WSO2 Enterprise Service Bus for XACML 3.0 based authorization for REST or SOAP services
  • XACML REST profile support

API Security and Microservices Security

  • User managed access based on OAuth2 protocol
  • Delegated access control using OAuth2 and WS-Trust
  • Support for SAML2 bearer grant type, JWT assertion grant type and NTLM-IWA grant type
  • Microprofile JWT 1.0 support for RBAC
  • Support to validate JWTs based on JSON web key set
  • OAuth2 token revocation support
  • OAuth token introspection
  • OAuth 2.0 form post response mode
  • Integrates with WSO2 API Manager for OAuth2 key management

Monitoring, Reporting and Auditing

  • Login events and session monitoring
  • Monitor logged in users/sessions
  • Manually terminate user sessions
  • Admin forced password reset
  • Real-time security alerting for suspicious login activities and abnormal sessions
  • Auditing of privileged operations using distributed auditing system (XDAS)
  • Built-in collection and monitoring of standard access and performance statistics
  • Key metrics monitoring and management using JMX MBeans

GDPR Compliance

  • Comprehensive RESTful API which supports Kantara consent management specification. With the use of this API, you can enable consent management for any application without being vendor lock.
  • Privacy ToolKit to remove references of a deleted user's identity as and when required.
  • User Consent for Self Sign Up to provide consent when a user self registers to WSO2 Identity Server.
  • User Consent for Single-Sign-On/federation to provide users with choice and control over sharing their personal data.
  • Self care portal to manage user's consents, where users can go back to their consent declarations at any time for review, validation, revocation, or other changes.
  • Personal Information Export Capability so end users can retrieve personal information stored in WSO2 Identity Server.
  • User Consents in OpenID Connect which integrate User Consent Management into OIDC Authorization Code and Implicit flow.
  • Consent Purposes Management capabilities in administrative portal to provide an interactive UI to manage consent purposes/PII categories.

Deployment Flexibility

  • Lightweight, developer-friendly and easy to deploy
  • Container friendly deployment
  • Clustering for high availability deployment
  • Choice of deployment to on-premise servers, private cloud, or managed cloud, without configuration changes
  • Complete SOAP API for integrating or embedding into any application or system
  • Centralized configuration management across different deployment environments with life cycles and versioning with integration to WSO2 Governance Registry

Pluggable, Extensible and Themable

  • Plug-in model for user stores, authenticators, OAuth2 grant types, etc.
  • Extension points allow integration with legacy systems
  • Numerous extension points to allow customization of certain aspects of the product if required
  • White label login and registration pages